<p>Amazon Elastic File System (EFS) is a serverless file system that does not require provisioning or managing storage. Stored files can be
automatically encrypted by the service. In the case that adversaries gain physical access to the storage medium or otherwise leak a message they are
not able to access the data.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> The file system contains sensitive data that could cause harm when leaked. </li>
  <li> There are compliance requirements for the service to store data encrypted. </li>
</ul>
<p>There is a risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>It’s recommended to encrypt EFS file systems that contain sensitive information. Encryption and decryption are handled transparently by EFS, so no
further modifications to the application are necessary.</p>
<h2>Sensitive Code Example</h2>
<p>For <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_efs.FileSystem.html"><code>aws_cdk.aws_efs.FileSystem</code></a></p>
<pre>
import { FileSystem } from 'aws-cdk-lib/aws-efs';

new FileSystem(this, 'unencrypted-explicit', {
    vpc: new Vpc(this, 'VPC'),
    encrypted: false // Sensitive
});
</pre>
<p>For <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_efs.CfnFileSystem.html"><code>aws_cdk.aws_efs.CfnFileSystem</code></a></p>
<pre>
import { CfnFileSystem } from 'aws-cdk-lib/aws-efs';

new CfnFileSystem(this, 'unencrypted-implicit-cfn', {
}); // Sensitive as encryption is disabled by default
</pre>
<h2>Compliant Solution</h2>
<p>For <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_efs.FileSystem.html"><code>aws_cdk.aws_efs.FileSystem</code></a></p>
<pre>
import { FileSystem } from 'aws-cdk-lib/aws-efs';

new FileSystem(this, 'encrypted-explicit', {
    vpc: new Vpc(this, 'VPC'),
    encrypted: true
});
</pre>
<p>For <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_efs.CfnFileSystem.html"><code>aws_cdk.aws_efs.CfnFileSystem</code></a></p>
<pre>
import { CfnFileSystem } from 'aws-cdk-lib/aws-efs';

new CfnFileSystem(this, 'encrypted-explicit-cfn', {
    encrypted: true
});
</pre>
<h2>See</h2>
<ul>
  <li> <a href="https://docs.aws.amazon.com/efs/latest/ug/encryption.html">AWS Documentation</a> - Data encryption in Amazon EFS </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/311">CWE-311 - Missing Encryption of Sensitive Data</a> </li>
</ul>
